Abstract

The problem of Authenticated Byzantine Generals (ABG) aims to simulate a virtual reliable broadcast channel from the General to all the players via a protocol over a real (point-to-point) network in the presence of faults. We propose a new model to study the self-composition of ABG protocols. The central dogma of our approach can be phrased as follows: Consider a player who diligently executes (only) the delegated protocol but the adversary steals some private information from him. Should such a player be considered faulty? With respect to ABG protocols, we argue that the answer has to be no.



In the new model we show that, in spite of using unique session identifiers, if n ≤ 2t there cannot exist any ABG protocol that composes in parallel even twice. Further, for n > 2t, we design ABG protocols that compose for any number of parallel executions. Besides investigating the composition of ABG under a new light, our work also brings out several new insights into Canetti's Universal Composability framework. Specifically, we show that there are several undesirable effects if one deviates from our dogma. This provides further evidence as to why our dogma is the right framework to study the composition of ABG protocols.
1 Introduction

The goal of an Authenticated Byzantine Generals (ABG) protocol is to simulate a virtual reliable 
broadcast channel from the General to all the players via a protocol over a real (point-to-point) 
network in the presence of faults. In general, one may wish to simulate a virtual network which 
may not only involve some reliable/secure channels but also reliable/secure nodes (like a Trusted 
Third Party). Traditionally, the notion of faults in the network is captured via a fictitious entity 
called adversary that can choose to actively corrupt up to any t of the n players. A player is said 
to be non-faulty if he executes only the delegated protocol code and does no more. In contrast, the 
computation performed by the faulty players is chosen by the adversary. 

It is well known that protocols which correctly simulate the desired virtual network may not remain correct when run in the presence of the same/other protocols [Can01]. For most real life networks, such as the Internet, a protocol is seldom executed in a stand alone setting. Composition of protocols aims to study the correctness/security of protocols when several protocols are run concurrently.

Over the past few decades, the security of cryptographic protocols in stand alone settings has been studied fairly well. Canetti extended these studies to arbitrary unknown environments by introducing the framework of Universal Composability (UC). Ever since, several researchers have built on it to prove many exciting results. Besides providing a rigorous and elegant mathematical framework for proving security guarantees of protocols that run in arbitrary environments, UC is a classic notion that has seemingly brought secure function evaluation and multi-party computation ever closer to practice.

1.1 Prior Work 

The Byzantine Generals Problem (BGP) and Byzantine Agreement (BA) were first introduced by Pease et al. [LSP82, PSL80]. It is well known that BGP (likewise BA) over a completely connected synchronous network is possible if and only if n > 3t [PSL80, LSP82]. Later on, the problem was studied in many different settings, giving both possibility (protocols) and impossibility results. Some of the prominent settings are: incomplete networks [Dol81], probabilistic correctness [Rab83], asynchronous networks [FLP85], partially synchronous networks [DDS87], mobile adversaries [Gar94], the non-threshold adversarial model [FM98], the mixed adversarial model [GP92, AFM99] and hypergraphs [FM00], to name a few.

Pease et al. [PSL80, LSP82] introduced the problem of authenticated Byzantine Generals (ABG). Here, the players are augmented with a Public Key Infrastructure (PKI) for digital signatures to authenticate themselves and their messages. Pease et al. proved that in such a model the tolerability against a t-adversary can be increased to n > t, which is a huge improvement over n > 3t. Being a reasonably realistic model and because of its high fault tolerance, ABG is an important and popular variant of BGP and hence has been fairly well studied. Dolev and Strong [DS83] proved that any ABG protocol over a completely connected synchronous network of n nodes tolerating a t-adversary requires t + 1 rounds of communication. Further, they proposed algorithms that take O(t + 1) rounds and O(nt) messages. Authenticating every message sent by a player can be expensive. Some works have explored cost cutting by considering alternatives to authentication and limiting the use of signatures. Specifically, Borcherding [Bor95, Bor96b] explored the possibility of using signatures in only some rounds and not all. An alternative line of thought was suggested by Srikanth and Toueg [ST87], wherein authenticated messages are simulated by non-authenticated sub-protocols. In another work, Borcherding [Bor96a] studied different levels and styles of authentication and their effects on agreement protocols. That work focuses on understanding the properties of the authentication scheme and their impact on building faster algorithms for BGP. Gong et al. [GLR95] study the assumptions needed for the authentication mechanism in protocols for BGP that use signed messages. They propose protocols for BA that add authentication to oral message protocols so as to obtain additional resilience due to authentication. Schmid and Weiss [SW04] study ABG under a hybrid failure model of node and communication failures. Katz and Koo [KK09] propose expected constant-round ABG protocols for the case n > 2t. Gupta et al. [GGBS10] study ABG in a model wherein the adversary can corrupt some players actively and some more players passively. Further, they require the passively corrupt players to be consistent with the honest players. They show that their model unifies the results of n > 3t (BGP) and n > t (ABG). [GKKY10] too explores ABG in a partially compromised signature setting. Bansal et al. [BGG+11] extend the studies of [GGBS10] to the case of arbitrarily connected (undirected) networks.

Security of protocols under composition was first investigated in [Ore87, MR91, GO94, GK96]. Owing to its impact on the modular approach to constructing cryptographic protocols, composition of protocols has been well studied in the literature. Goldreich and Krawczyk [GK96] studied sequential and parallel composition of zero-knowledge protocols. They proved that zero-knowledge and strong formulations of zero-knowledge (e.g. black-box simulation) are not closed under parallel execution. Richardson and Kilian [RK99] examined the concurrent composition of zero-knowledge proofs. Canetti et al. [CKPR01] proved that black-box concurrent zero-knowledge requires ω(log n) rounds. Dwork et al. [DNS04] show that under the assumption of a restricted adversary (they call it the (α, β) constraint) there exist perfect concurrent zero-knowledge arguments for every language in the class NP. Canetti [Can00] proposed generic definitions of security for multi-party cryptographic protocols and proved that security under these definitions continues to hold under the natural composition operation [MR91]. Canetti [Can01] introduced UC to study the security/correctness of protocols when run with arbitrary unknown protocols. [CF01, CK02] study commitments and key exchange under composition. Canetti et al. [CLOS02] show that any two-party and multi-party functionality can be securely realized under universal composition, irrespective of the number of corrupted players. Canetti and Rabin [CR03] initiated the study of universal composition with joint state. Ben-Or et al. [BOHL+05] took up the study of universal composability in quantum key distribution. Some of the recent papers on protocol composition are [Lin03, PS04, HUMQ09, CKS11, CH11, R012].

Lindell et al. [LLR02] studied the properties of self composition of ABG. They proved that, over a completely connected synchronous network of n players in the presence of a t-adversary, if n ≤ 3t then there does not exist any ABG protocol that self-composes in parallel even twice. Further, for n > 3t, they designed ABG protocols that self-compose in parallel for any number of executions, thus proving the bound of n > 3t to be tight. In the same work, they also show that if one assumes the additional facility of unique session identifiers, the fault tolerance of ABG under parallel self-composition can be restored to n > t.

The work closest (yet incomparable) to our line of thought is the model considered by Canetti and Ostrovsky [CO99]. They use a slightly different perspective as to what a fault "means". In particular, they operate under a model wherein all the parties (even uncorrupted ones) may deviate from the protocol, but under the sole restriction that most parties do not risk being detected by other parties as deviating from the protocol.

Organization of the Paper. In Section 2, we present our case as to why the study of self 
composition of ABG protocols needs a new approach. This renders the model used in the extant 
literature (to study the protocol composition) inappropriate for, at least, a few problems such as 
ABG and necessitates the formulation of a better model. In Section 3, we propose a new model to 
study protocol composition. We prove our results in Section 4. 



2 The Central Dogma 

Consider a player who is concurrently executing several protocols which run as processes. Clearly, the player is faulty if any one of these processes deviates from the originally designated protocol code. However, there can be faulty players wherein some of the processes continue to diligently execute the delegated protocol code. Should such processes be deemed faulty? The answer can be no, since they diligently execute the delegated protocol and hence are certainly not Byzantine faulty. On the other hand, the answer can be yes, because the player is faulty and therefore the data private to such processes can always be accessed by the adversary [1].

All of the literature on composition of protocols, and in particular the most recent work on ABG [LLR02], has considered such processes to be Byzantine faulty. However, in Sections 2.1 and 2.2 we argue why it is better to model such processes as passively corrupt (similar to honest-but-curious parties).

2.1 To Make Them Faulty or Not?

The extant literature on (unauthenticated) reliable broadcast requires all non-faulty players to agree on the same value [PSL80, LSP82]. Consequently, a player can be non-faulty in the following two ways: (i) the adversary is absent and (therefore) the player follows the delegated protocol; (ii) the adversary is present, but allows the player to diligently follow the delegated protocol, and therefore, by virtue of diligently following the protocol, the player is non-faulty.

With respect to ABG, the answer does not reveal itself automatically. The issue with ABG is more subtle because ABG is spawned by interests across various disciplines. In particular, ABG has continuously drawn inspiration from cryptography and in particular secure multi-party computation (SMPC). So, in the case of ABG, any attempt to settle the question must consider the cryptographic viewpoint. When it comes to defining faults in SMPC, recall that Ben-Or et al. [BGW88] define a player as faulty if and only if the player deviates from the designated protocol. Therefore, w.r.t. ABG, we have a choice: (i) to punish the player by labelling him as faulty if the adversary steals any private information (such as his digital signature key) from the player, despite the player diligently executing the designated protocol; (ii) to reward the player for diligently following the protocol and pay him back for his efforts by not labelling him as faulty (remember that this player has certainly helped in the simulation of the broadcast channel by routing several crucial messages). In the cryptographic tradition, it is natural to brand all processes whose private information is stolen by the adversary during a cryptographic protocol as faulty. However, we believe that w.r.t. ABG the answer has to be the other way around. One may argue that reliable broadcast is essentially a primitive in distributed computing and that authentication was introduced only as a tool; that is, authentication was only a means to facilitate the end (reliable broadcast). This is, however, hardly a reason. To find the answer, one must journey to the very heart of every protocol for Byzantine Generals (BG).

The purpose of any BG (likewise ABG) protocol is to simulate a (virtual) reliable broadcast channel over a point-to-point network. Consider a scenario wherein the General is connected to all the players via an actual physical broadcast channel. All the players, including those under the adversary's control, will always receive the same message from the General. The adversary can make the players under his influence discard this message and deviate from the protocol. However, if the adversary chooses not to do so for any of the player(s) under his control, then such player(s) will be in agreement with the group of players who were honest. Therefore, any ABG



[1] Any process with administrative privileges can always read the data internal to any other process within the same system.



(BG) protocol aiming to truly simulate a broadcast channel must ensure consistency between all the 
players who follow the designated protocol. 

We now elaborate the implications of our dogma on the composition of ABG protocols. It is well known that in the stand alone execution model, a t-adversary is free to corrupt up to any t players. With respect to parallel composition of protocols, a t-adversary is free to choose any set of at most t players and corrupt them in all or only some of the executions. This permits the adversary to corrupt different players in different executions, i.e. a t-adversary may as well corrupt, say, t1 players (t1 ≤ t) in some of the parallel execution(s) and a different set of t2 players (t2 ≤ t) in the remaining execution(s). As long as t1 + t2 ≤ t (so that at most t distinct players are corrupted overall), w.r.t. composition, such an adversary is a valid t-adversary.

The above leads to an interesting observation w.r.t. the composition of ABG protocols: by Byzantine corrupting a player in some but not all parallel executions, the adversary can forge messages on behalf of this player even in those executions wherein this player is uncorrupted. We illustrate this with the following simple scenario: Consider a player P running two parallel executions, say E1 and E2, of some (correct) ABG protocol (Figure 1). Further, P uses distinct authentication keys, say k1 and k2, in the executions E1 and E2 respectively. The adversary corrupts P in Byzantine fashion only in E1. Consequently, the adversary can forge messages on behalf of P in E2 even though P is non-faulty in E2. This is because in E1 the adversary can delegate to P code which reads the key k2 (or for that matter any private data) from the process E2 (Figure 2). The above observation extends to any number of parallel executions E1, E2, ..., Ek. It is easy to see that the observation holds good even if P uses a distinct authentication key in each of the parallel executions E1, E2, ..., Ek.
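The following Python simulation is an added example, not code from the paper, of the scenario just described: player P runs one process per parallel execution, each with its own authentication key and unique session identifier (USID); the adversary controls P's process in E1 only, reads E2's key out of the sibling process (same player, hence same privileges, as footnote 1 notes) and produces a message that E2's verifier accepts as coming from the honest process of P in E2. Everything here is an assumption for illustration: HMAC-SHA256 stands in for the signature scheme (so verifiers hold the per-execution keys instead of public verification keys), "reading the sibling process's memory" is modelled as attribute access, and the names `Process`, `Player`, `Verifier`, `forge` and `run_scenario` are ours.

```python
"""Added example (not from the paper): key theft across co-located processes
under parallel composition, with per-execution keys and USIDs.
Assumptions not in the paper: HMAC-SHA256 stands in for signatures, and
reading a sibling process's memory is modelled as attribute access."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def tag(key: bytes, sid: bytes, sender: str, msg: bytes) -> bytes:
    # The authentication tag binds the message to the execution (sid) and the sender.
    return hmac.new(key, sid + b"|" + sender.encode() + b"|" + msg, hashlib.sha256).digest()


@dataclass
class Process:
    """One execution's process inside a player."""
    player: str
    sid: bytes          # USID of the execution this process belongs to
    key: bytes          # this player's authentication key for this execution only
    byzantine: bool = False

    def authenticate(self, msg: bytes):
        """Honest protocol code: authenticate msg under this execution's key."""
        return (self.sid, msg, tag(self.key, self.sid, self.player, msg))


@dataclass
class Player:
    name: str
    processes: dict = field(default_factory=dict)   # sid -> Process


class Verifier:
    """Receiver-side check in execution `sid`: knows every player's key for that execution."""

    def __init__(self, sid: bytes, keys: dict):
        self.sid, self.keys = sid, keys

    def accept(self, sender: str, sid: bytes, msg: bytes, t: bytes) -> bool:
        if sid != self.sid:        # USID check: messages of other sessions are rejected
            return False
        return hmac.compare_digest(tag(self.keys[sender], sid, sender, msg), t)


def forge(player: Player, attacker_sid: bytes, victim_sid: bytes, msg: bytes):
    """Adversary's code, running in the Byzantine process `attacker_sid` of `player`:
    read the victim process's key (same player, same privileges) and authenticate for it."""
    assert player.processes[attacker_sid].byzantine
    stolen = player.processes[victim_sid].key          # the key theft
    return (victim_sid, msg, tag(stolen, victim_sid, player.name, msg))


def run_scenario() -> dict:
    """Constructed scenario: P is Byzantine in E1, honest in E2, distinct keys per execution."""
    sid1, sid2 = b"E1", b"E2"
    keys = {sid: {n: os.urandom(32) for n in ("P", "Q")} for sid in (sid1, sid2)}
    P = Player("P", {sid: Process("P", sid, keys[sid]["P"]) for sid in (sid1, sid2)})
    P.processes[sid1].byzantine = True
    verifier_e2 = Verifier(sid2, keys[sid2])

    honest = P.processes[sid2].authenticate(b"value=0")     # what honest P says in E2
    forged = forge(P, sid1, sid2, b"value=1")                # what the adversary injects into E2
    replayed = (sid1,) + forged[1:]                          # same tag presented under the wrong USID
    return {
        "distinct_keys": keys[sid1]["P"] != keys[sid2]["P"],
        "honest_accepted": verifier_e2.accept("P", *honest),
        "forged_accepted": verifier_e2.accept("P", *forged),   # USIDs do not help here
        "wrong_sid_rejected": not verifier_e2.accept("P", *replayed),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The USID check does its job (a tag moved to another session is rejected), yet the forged message is accepted in E2 because it was produced with E2's own key and E2's own identifier; distinct keys per execution change nothing, which is exactly why the paper treats P's E2 process as passively corrupt rather than honest.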

2.2 New insights into current model 

Besides providing a new model for composing ABG protocols, our work also draws attention to a few 
(not so serious, yet interesting) grey areas in the existing popular models of protocol composition. 
These issues deserve to be discussed in greater detail and we deem that these aspects must be 
studied in depth before one can unleash the paradigm of composability into the real world. The 
following can also be viewed as the ill-effects of modelling the non-faulty processes within a faulty 
player as Byzantine faulty: 

1. Proving incorrect protocols as correct: A very popular paradigm used in the literature to capture the security/correctness requirements of a cryptographic protocol is the ideal-world/real-world simulation paradigm [Can01]. Informally, in this paradigm, a protocol is said to be correct if for every real world adversary A there exists an ideal world adversary S that can match the views of the players and the adversary in the two worlds. We now show that if the non-faulty processes within a faulty player are treated as Byzantine faulty, then, using the ideal-world/real-world simulation paradigm, protocols which are incorrect in the stand alone setting can be proven to be correct under composition!

Example: Consider the problem of secure addition: players {P_a, P_b, P_c, P_d} start with input values {v_a, v_b, v_c, v_d} respectively and wish to find the sum of their combined input values without revealing their input value to any other player. Consider a protocol Σ which gives a random value as the answer. Clearly, in a stand alone setting Σ is an incorrect protocol. However, one can prove Σ to be a correct protocol under composition as follows: Let E1 and E2 be two concurrent executions of Σ. The real world adversary A corrupts player P_a actively only in E1. In E2, P_a executes the code exactly as per the specifications of Σ. If P_a is treated as Byzantine faulty in E2, then in the ideal world execution the ideal world adversary S can actively corrupt P_a in E2 as well. Thus, in the ideal world execution of E2, S sends to the TTP (Trusted Third Party) an input value which ensures that the views of the players and the adversary in the ideal world and the real world are the same. Specifically, if in E2 the protocol Σ gives the answer v_a + v_b + v_c + v_d + r, where r is some positive random number, then in the corresponding ideal world execution S, on behalf of P_a, sends v_a + r as the input value to the TTP. This ensures that the views in the two worlds are the same.

2. Basing security on internal communication: Let Λ be a secure composable protocol for some problem. From Λ one can always construct a new protocol Λ' as follows: Λ' is exactly the same as Λ except for the following two changes: (i) every process in Λ' sends all its data (including its private data) to all the concurrent processes within the same player; (ii) every process in Λ' ignores this incoming data from any of its fellow concurrent processes within the same player. Clearly, if Λ' is secure then so is Λ. However, is Λ' secure given that Λ is secure? The answer can be no if, in Λ', the faulty processes choose not to ignore the incoming data.

This implies that the security definition is dependent on the internal communication between the processes within a player. Clearly, one will prefer to have a security definition which does not depend on such intricate details. As highlighted by Canetti [Can00], this preference stems from the need for and benefits of a simple, intuitive and workable security definition.

In essence, our dogma is the following: All non-faulty processes, i.e. the processes within a non-faulty player that execute the delegated protocol diligently and do no more, are considered honest. All Byzantine faulty processes in a Byzantine faulty player are considered corrupt. All non-faulty processes within a Byzantine faulty player are considered passively corrupt. We aim to study the self composition of ABG protocols in this new paradigm.

3 Model 

We are now ready to present our model. Our model is the same as the one used in the extant literature [Can01, LLR02] except for the following (small but important) changes: (i) all non-faulty processes within a non-faulty player are considered honest; (ii) all Byzantine faulty processes within a Byzantine faulty player are considered corrupt; (iii) all non-faulty processes within a Byzantine faulty player are treated as passively corrupt ((iii) follows from the observations made in Section 2). Here, a process is said to be non-faulty if it exactly executes the delegated protocol code and does no more. Further, a process is said to be Byzantine faulty if it executes program code of the adversary's choice.



We consider a set of n players, P = {p_1, p_2, ..., p_n}, over a completely connected synchronous network. Any protocol in this setting is executed in a sequence of rounds where, in each round, a player can perform some local computation, send new messages to all the players, receive messages sent to him by other players in the same round (and, if necessary, perform some more local computation), in that order. The notion of faults in the system is captured by a virtual entity called the adversary. During the execution, the (polynomial-time) adversary [2] may take control of up to any t players and make them behave in any arbitrary fashion. Such an adversary is called a t-adversary. Further, the players can invoke multiple parallel executions of any protocol. We model this via players running multiple processes in parallel. We assume that the communication channel between any two players is perfectly reliable and authenticated. We also assume the existence of a (signature/authentication) scheme via which players authenticate themselves. This is modelled by all the players having an additional setup-tape that is generated during the preprocessing phase. Note that keys cannot be generated within the system itself. Similar to [LLR02], it is assumed that the keys are generated using a trusted system and distributed to the players prior to the running of the protocol. Typically, in such a preprocessing phase, signing and verification keys are generated. That is, each player gets his own private signing key and, in addition, the public verification keys of all the other players. No player can forge any other player's signature, and the receiver can uniquely identify the sender of a message using the signature. However, the adversary can forge the signatures of all the t players under its control. The adversary can inject forged messages, on behalf of passively corrupt processes, via Byzantine corrupt processes. Further, we assume that each run of a protocol is augmented with unique session identifiers (USIDs).

3.1 Defining Composable ABG 

We use the well-established ideal/real process simulation paradigm to define the requirements of ABG. Both the ideal process and the real process have the set P of n players, including the General G, as common participants. Apart from these, the ideal process has a TTP (Trusted Third Party) and an ideal process adversary S, whereas the real process has a real process adversary A. We start by defining the ideal process for ABG.

Ideal process (Ψ_ideal): (1) G sends his value v to the TTP. (2) The TTP forwards the same to all the n players and to S. (3) All honest players output v; S determines the output of the faulty players. We assume that all message transmissions in the above protocol are perfectly secure.

Let IDEAL_{TTP,S}(v, r_S, r) denote the vector of outputs of all n players running Ψ_ideal where G has input v, S has random coins r_S, and r = (r_1, r_2, ..., r_n, r_TTP) are the random coins of the n players and the TTP respectively. IDEAL_{TTP,S}(v) denotes the random variable describing IDEAL_{TTP,S}(v, r_S, r) when r_S and r are chosen uniformly at random. IDEAL_{TTP,S} denotes the ensemble {IDEAL_{TTP,S}(v)}_{v ∈ {0,1}}.

Real life process (Ψ_real(Π)): Unlike in the ideal process, here the players interact among themselves as per a designated protocol Π and the real process adversary A. Specifically: (1) Every honest player proceeds according to the protocol code delegated to him as per Π. (2) The adversary A may send some arbitrary messages (perhaps posing as any of the corrupt players) to some/all



[2] Digital-signature-based authentication necessitates the assumption of a polynomial-time adversary. Our impossibility proofs do not need this assumption, but our protocols require a "magical" means to authenticate if the adversary is unbounded.



of the players. (3) Honest players output a value as per Π. A determines the output of the faulty players.

Let REAL_{Π,A}(v, r_A, r) denote the vector of outputs of all n players running Ψ_real(Π) where G has input v, and r_A and r = (r_1, r_2, ..., r_n) are the random coins of the adversary and the n players respectively. Let REAL_{Π,A}(v) denote the random variable describing REAL_{Π,A}(v, r_A, r) when r_A and r are chosen uniformly at random. Let REAL_{Π,A} denote the ensemble {REAL_{Π,A}(v)}_{v ∈ {0,1}}.

We directly adopt the definitions of Lindell et al. [LLR02] . 

Definition 1 (ABG) Π is an ABG protocol tolerating a t-adversary if for any subset I ⊆ P of cardinality up to t (that is, |I| ≤ t), it holds that for every probabilistic polynomial-time real process adversary A that corrupts the players in I in Ψ_real(Π), there exists a probabilistic polynomial-time ideal process adversary S in Ψ_ideal that corrupts the players in I, such that the ensembles IDEAL_{TTP,S} and REAL_{Π,A} are computationally indistinguishable.

Definition 2 (Composable ABG [LLR02]) Let Π be an ABG protocol. Π is said to remain secure under parallel composition if for every polynomial-time adversary A, the requirements for ABG (elaborated in Definition 1) hold for Π in every execution within the following process: Repeat the following in parallel until the adversary halts:

1. The adversary A chooses the input v for the General G.

2. All players are invoked for an execution of Π (using the strings generated in the preprocessing phase and a unique session identifier for this execution). All the messages sent by the corrupted players are determined by the adversary A, whereas all other players follow the instructions of Π.

Furthermore, as noted by Lindell et al, Definition 2 implies stateless composition i.e. all honest 
players are oblivious to the other executions taking place in parallel. In contrast, the adversary A 
can coordinate between the parallel executions, and the adversary's view at any given time includes 
all the messages received in all the executions. 

3.2 Our Results 

Recall that in the absence of unique session identifiers, ABG is not self-composable even twice if n ≤ 3t [LLR02]. We prove that unique session identifiers aid in improving the fault tolerance of ABG protocols (that compose in parallel), but only from n > 3t to n > 2t. We now present the main theorem of this paper:

Theorem 1 (Main Theorem) ABG over n players, tolerating a t-adversary, can be self-composed in parallel for any number of executions if and only if n > 2t.

To put things in perspective, one can achieve the bound of n > t for (a simplified variant of) 
ABG [LLR02] if one makes the following assumption: Only those non-faulty processes that run in 
non-faulty players need to be consistent, others need not, where a process is faulty if it deviates 
from the designated protocol. 



4 Complete Characterization 

The aim of this section is to prove aforementioned Theorem 1. We begin with a few definitions: 

Definition 3 (Adversary Structure) An adversary structure 𝒵 for the player set P is a collection of plausible sets of players which can be corrupted by the adversary. Formally, 𝒵 ⊆ 2^P, where if Z ∈ 𝒵 then all subsets of Z are in 𝒵.

Definition 4 (Adversary Basis) For an adversary structure 𝒵, 𝒵̄ denotes the basis of the structure, i.e. the set of the maximal sets in 𝒵: 𝒵̄ = {Z ∈ 𝒵 : ∄ Z' ∈ 𝒵 : Z ⊊ Z'}.
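As an added example (not from the paper), the following Python code makes Definitions 3 and 4 concrete for the two-execution setting used in the rest of this section, where an element of a structure is a pair of player sets (one per parallel execution), and also checks the t-adversary budget of Section 2.1, under which the players corrupted across all executions number at most t. It builds the structure generated by a basis by closing it under componentwise subsets, recovers the basis as the maximal elements, and applies both to the basis used in Theorem 2 below. The names `structure_from_basis`, `basis_of`, `is_valid_t_adversary`, `min_threshold` and `basis_thm2` are ours, not the paper's.

```python
"""Added example (not from the paper): adversary structures and bases over
k parallel executions (Definitions 3 and 4), plus the t-adversary budget of
Section 2.1. An element is a k-tuple of frozensets, one per execution."""
from itertools import combinations, product


def subsets(s):
    """All subsets of a player set, as frozensets."""
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]


def structure_from_basis(basis):
    """Definition 3: the structure is closed under taking subsets; for
    parallel executions this is applied componentwise to each execution's set."""
    struct = set()
    for elem in basis:
        for combo in product(*(subsets(z) for z in elem)):
            struct.add(tuple(combo))
    return struct


def dominated(x, y):
    """x <= y componentwise: in every execution, x corrupts a subset of what y corrupts."""
    return all(a <= b for a, b in zip(x, y))


def basis_of(structure):
    """Definition 4: the maximal elements of the structure."""
    return {z for z in structure
            if not any(z != w and dominated(z, w) for w in structure)}


def corrupted_union(elem):
    """Players the adversary touches in at least one execution."""
    return frozenset().union(*elem)


def is_valid_t_adversary(elem, t):
    """Section 2.1: a t-adversary may corrupt at most t distinct players overall,
    spread over the parallel executions as it likes."""
    return len(corrupted_union(elem)) <= t


def min_threshold(basis):
    """Smallest t whose threshold structure contains every element of the basis."""
    return max(len(corrupted_union(e)) for e in basis)


# The basis used in Theorem 2: ((C),(A)); ((A),(∅)); ((B),(A)), read as the set
# corrupted in the first and in the second parallel execution respectively.
A, B, C = "A", "B", "C"
basis_thm2 = {
    (frozenset({C}), frozenset({A})),
    (frozenset({A}), frozenset()),
    (frozenset({B}), frozenset({A})),
}

if __name__ == "__main__":
    S = structure_from_basis(basis_thm2)
    print(len(S), "elements; basis recovered:", basis_of(S) == basis_thm2)
    print("smallest t covering the basis:", min_threshold(basis_thm2))
```

Running it shows that the generated structure has 7 elements and that its maximal elements are exactly the three basis pairs. Note also that ((C), (A)) is not a valid 1-adversary over the three players, since it touches two distinct players across the two executions; the smallest threshold whose structure contains the whole basis is t = 2, for which n = 3 ≤ 2t, in line with Theorem 1.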

4.1 Qualifiers 

We first prove that there does not exist any ABG protocol that self-composes in parallel even twice over a network of 3 players, P = {A, B, C}, tolerating an adversary basis 𝒜 = {((C), (A)); ((A), (∅)); ((B), (A))}. Here, ((x), (y)) represents a single element of the adversary basis such that the adversary can Byzantine corrupt x and y in the first and second parallel execution, respectively. For the rest of this paper, Π_k (likewise Λ_k) denotes an ABG protocol Π (Λ) that remains correct up to k parallel self-compositions.

Before presenting the proof, we make a few comments on the proof style. As with Lindell et al. (the base case of their work draws inspiration from [FLM85]), we establish ours on [GGBS10]. We, however, note that the overlap ends there. We remark that this is not a serious concern and, if anything, a testimony to the impact of [FLM85].

Theorem 2 There does not exist any Π_2 over a network of 3 nodes, P = {A, B, C}, tolerating an adversary basis 𝒜 = {((C), (A)); ((A), (∅)); ((B), (A))}.

Proof: Our proof demonstrates that the real process adversary (characterized by 𝒜) can make the non-faulty processes in one of the parallel executions of any ABG protocol have an inconsistent output. In contrast, in the corresponding ideal world execution the non-faulty processes are guaranteed to have a consistent output. It then follows that there does not exist any ideal world adversary S that can ensure that the output distributions are similar. This violates Definition 2, hence the theorem.

To prove that the adversary can ensure that the non-faulty processes in one of the parallel executions do not have a consistent output, we assume otherwise and arrive at a contradiction. We accomplish this using the ideas from the proof technique developed by Fischer et al. [FLM85].

Formally, assume for contradiction that there exists a protocol Π_2 over N (Figure 3), P = {A, B, C}, tolerating the adversary basis 𝒜 = {((C), (A)); ((A), (∅)); ((B), (A))}. Using Π_2, we create a protocol Π' [Definition 5] in such a way that the existence of Π_2 implies the existence of Π' (Proposition 5.1). We then combine two copies of Π' to construct a system C (Figure 4) and show that C must exhibit contradictory behaviour. It then follows that the assumed protocol Π_2 cannot exist.

Figure 3: Network N.

We do not know what system C solves. Formally, C is a synchronous system with a well-defined behaviour. That is, for any particular input assignment, C exhibits some well-defined output distribution. We obtain a contradiction by showing that for a particular input assignment, no such well-defined behaviour is possible. No player in C is aware of the complete system; rather, each player is aware of only his immediate neighbours. In reality, a player may be connected to either A or A' [3], but he cannot distinguish between the two. He knows his neighbours only by their local name, in this case, A. Further, all players in C are oblivious to the fact that there are duplicate copies of the nodes in C. Specifically, for all X ∈ {A, B, C}, C is constructed in a manner such that the in-neighbourhood of any node X (or X') in C is the same as the in-neighbourhood of the corresponding node X in N.

Figure 4: Construction of C using two copies of Π'.

Let the players in C start with the input values indicated in Figure 4, and let α be the resulting execution. All the players in α are honest and diligently follow Π'. Further, let E1 and E2 be two parallel executions of Π_2 over N. We now define three distinct scenarios, α1, α2 and α3:

• α1: In E1, A is the General and starts with input value 0. The adversary Byzantine corrupts C in E1. In E2 the adversary Byzantine corrupts A.

• α2: In E1, A is the General. The adversary corrupts A in E1, interacts with B as if A started with input value 0 and interacts with C as if A started with input value 1.

• α3: In E1, A is the General and starts with input value 1. The adversary Byzantine corrupts B in E1. In E2 the adversary Byzantine corrupts A.

We claim that, in execution α, both A and B decide on 0. Similarly, we claim that both C and A' in α decide on 1. Further, we claim that in α both B and C must decide on the same output (Figure 5). [To avoid clutter we defer the proof of these claims to Lemmas 4, 6 and 8.] However, in α, players B and C have already decided on 0 and 1, respectively. Hence, C exhibits contradictory behaviour. ■



To complete the above proof, we now define the protocol $\Pi'$ [Definition 5] and show that the existence of $\Pi_2$ implies the existence of $\Pi'$ (Proposition 5.1). We then prove the remaining claims via Lemma 3 - Lemma 8.

Definition 5 ($\Pi'$) For player $B$, every statement in $\Pi_2$ of the kind "$B$ sends message $m$ to $A$" is replaced by "$B$ multicasts message $m$ to all instances of $A$" (i.e. $A$, $A'$) in $\Pi'$. Similarly, every statement of the kind "$C$ sends message $m$ to $A$" in $\Pi_2$ is replaced by "$C$ multicasts message $m$ to all instances of $A$" (i.e. $A$, $A'$) in $\Pi'$. All other statements in $\Pi'$ are exactly the same as those in $\Pi_2$.

3 $A$ and $A'$ are independent copies of $A$ with the same authentication key.

Figure 5: Players' outputs in execution $\alpha$. The contradiction is shown via the red rectangle.

Proposition 5.1 If $\Pi_2$ exists, then so does $\Pi'$.

Proof: Follows directly from Definition 5. Given $\Pi_2$, one can always construct $\Pi'$ by making the appropriate changes in $\Pi_2$ as per the definition of $\Pi'$. ■

The rest of this section focuses on proving Lemma 3 - Lemma 8. The proofs are conceptually simple; however, owing to the "topology" of system $\mathcal{C}$ and the presence of authenticated messages, some of the proofs (Lemmas 3, 5 and 7) have tedious details. A reader interested only in the proof of our main theorem can jump directly to Section 4.2.

We begin by introducing the terminology used in the proofs. Let $msg^{\Omega}_i(x,y)_x$ denote the message sent by player $x$ to player $y$ in round $i$ of execution $\Omega$. The $x$ in the subscript refers to the last player who authenticated this message. W.l.o.g., we assume that every player always authenticates every message sent by him. Further, let $V^{\Omega}_{x,i}$ denote the view of player $x$ at the end of round $i$ in execution $\Omega$. Intuitively, $V^{\Omega}_{x,i}$ consists of everything that player $x$ ever "sees" from round 1 until the end of round $i$ in execution $\Omega$. For our setting this includes (w.r.t. execution $\Omega$): (i) the input value (if any) of $x$: $\mathcal{I}^{\Omega}_x$; (ii) the secret key used by $x$ for authentication: $\mathcal{SK}^{\Omega}_x$; (iii) the protocol code executed by $x$: $\theta^{\Omega}_x$; (iv) the set of all the messages sent by $x$ until the end of round $i$: $\forall z \in P, \forall k \in (1,i),\ \bigcup_k \big(msg^{\Omega}_k(x,z)_x\big)$; (v) the set of all the messages received by $x$ until the end of round $i$: $\forall z \in P, \forall k \in (1,i),\ \bigcup_k \big(msg^{\Omega}_k(z,x)_z\big)$. Formally:

$$V^{\Omega}_{x,i} = \Big\{ \mathcal{I}^{\Omega}_x,\ \mathcal{SK}^{\Omega}_x,\ \theta^{\Omega}_x,\ \bigcup_k \big(msg^{\Omega}_k(x,z)_x\big),\ \bigcup_k \big(msg^{\Omega}_k(z,x)_z\big)\ ;\ \forall z \in P,\ \forall k \in (1,i) \Big\} \qquad (1)$$

Since the messages sent by player $x$ in round $i$ of $\Omega$ are a function of $x$'s view until the end of round $i-1$ (i.e. $V^{\Omega}_{x,i-1}$), Equation 1 can be rewritten as:

$$V^{\Omega}_{x,i} = \Big\{ \mathcal{I}^{\Omega}_x,\ \mathcal{SK}^{\Omega}_x,\ \theta^{\Omega}_x,\ \bigcup_k \big(msg^{\Omega}_k(z,x)_z\big)\ ;\ \forall z \in P,\ \forall k \in (1,i) \Big\} \qquad (2)$$



Our proofs will often have statements of the following form: the view of player $x$ until round $i$ of execution $\gamma$ is the same as the view of player $y$ until round $i$ of execution $\delta$ (dubbed as $V^{\gamma}_{x,i} \sim V^{\delta}_{y,i}$). In order to prove such statements we will use the following observation (see footnote 4): $V^{\gamma}_{x,i} \sim V^{\delta}_{y,i}$ if and only if the following conditions hold:

(i) $\mathcal{I}^{\gamma}_x = \mathcal{I}^{\delta}_y$

(ii) $\mathcal{SK}^{\gamma}_x = \mathcal{SK}^{\delta}_y$

(iii) $\theta^{\gamma}_x = \theta^{\delta}_y$ (see footnote 5)

(iv) $\forall z \in P,\ \forall k \in (1,i),\ msg^{\gamma}_k(z,x)_z = msg^{\delta}_k(z,y)_z$

Throughout our proofs conditions (i), (ii) and (iii) will be trivially satisfied. Thus, our proofs will focus on proving condition (iv). For brevity we say:

$$V^{\gamma}_{x,i} \sim V^{\delta}_{y,i} \iff \forall z \in P,\ \forall k \in (1,i),\ msg^{\gamma}_k(z,x)_z = msg^{\delta}_k(z,y)_z \qquad (3)$$

Let $V^{\gamma}_x$ denote the view of $x$ at the end of execution $\gamma$. Then,

$$V^{\gamma}_x \sim V^{\delta}_y \iff \forall k > 0,\ V^{\gamma}_{x,k} \sim V^{\delta}_{y,k} \qquad (4)$$

Combining (3) and (4), we get

$$V^{\gamma}_x \sim V^{\delta}_y \iff \forall z \in P,\ \forall k > 0,\ msg^{\gamma}_k(z,x)_z = msg^{\delta}_k(z,y)_z \qquad (5)$$

Though conceptually simple, proving the right hand side of Equation 5 can be a tedious task. This is because the use of authentication limits the adversary's ability to send forged messages. Hence, one must formally establish that the adversary can indeed ensure that the right hand side of Equation 5 holds. To facilitate this, we introduce the notion of execution trees. To understand the utility of execution trees, let us revisit the scenarios $\alpha$ and $\alpha_1$ as defined in the proof of Theorem 2. Recall that the proof requires us to show that $\forall z \in \{A,B,C\},\ \forall k > 0,\ msg^{\alpha}_k(z,A)_z = msg^{E_1:\alpha_1}_k(z,A)_z$. Note that what $A$ receives in round $i$ of $\alpha$ (likewise $E_1:\alpha_1$) depends on what $B$ and $C$ send him in round $i$ of $\alpha$ (likewise $E_1:\alpha_1$). So, we need to argue that these messages, sent in round $i$ of $\alpha$ and $E_1:\alpha_1$ respectively, are either the same or can be made the same by the adversary. The messages sent by $B$ and $C$ in round $i$ of $\alpha$ (likewise $E_1:\alpha_1$) depend on what they themselves receive in round $i-1$. This in turn depends on what $A$ and $C$ (likewise, $A$ and $B$) send to $B$ ($C$) in round $i-2$ of $\alpha$ ($E_1:\alpha_1$). Thus, we need to argue that the adversary can ensure that whatever messages $A, C$ (likewise, $A$ and $B$) send to $B$ ($C$) in round $i-2$ of $\alpha$ are the same as whatever messages $A, C$ ($A$ and $B$) send to $B$ ($C$) in round $i-2$ of $E_1:\alpha_1$. Note that this continues in a recursive manner until the recursion stops at round 1. The entire recursion can be visualized as trees, $T^{\alpha}_A$ and $T^{E_1:\alpha_1}_A$, rooted at $A$ for executions $\alpha$ and $E_1:\alpha_1$ respectively, as shown in Figure 6.

An execution tree can be regarded as a "visual" analogue of Equation 5. Formally, $T^{\Omega}_X$ is an $n$-ary tree, i.e. a node can have up to $n$ children, where $n$ is the number of players ($P$) participating in execution $\Omega$. Each node has a label $l \in P$. The root node of $T^{\Omega}_X$ has label $X$. The levels of the tree are named in a bottom-up manner: the lowest level is 1, the one immediately above it is 2, and so on. A node $x$ is a child of node $y$ if and only if $x$ is in the in-neighbourhood of $y$ in execution $\Omega$. Thus the number of children of any node $z$ is the same as the size of the in-neighbourhood of $z$. An edge from node $y$ at level $j$ to node $x$ at level $j+1$ in the tree represents the message that $y$ sends to $x$ in round $j$ of $\Omega$. All the edges in the tree are directed from child to parent and are between adjacent levels only. Let $T^{\Omega}_{x,i}$ denote the execution tree of $x$ until round $i$ in execution $\Omega$.



4 [FLM85] referred to these conditions as the Locality Axiom. In the case of ABG, the secret key used by a player is definitely a part of his view. Hence, we added condition (ii).

5 We remark that $\theta^{\gamma}_x$ can differ from $\theta^{\delta}_y$. However, as long as they generate the same message for any player $z$, i.e. $\forall x, y, z\ \ msg^{\gamma}_i(x,z)_x = msg^{\delta}_i(y,z)_y$, it suffices for our proof.

Figure 6: $T^{\alpha}_A$ and $T^{E_1:\alpha_1}_A$ at the end of $k$ rounds.



We note the following: to show that a player, say $x$, receives the same messages in two different executions, say $\gamma$ and $\delta$, it suffices to show that the execution trees $T^{\gamma}_x$ and $T^{\delta}_x$ are similar. To prove this similarity, we will use induction on the heights of $T^{\gamma}_x$ and $T^{\delta}_x$.

As a prelude to proving Lemma 3, we present the adversary's strategy in $E_1:\alpha_1$. Recall that we defined scenario $\alpha_1$ as: In $E_1$, $A$ is the General and starts with input value 0. $\mathcal{A}$ Byzantine corrupts $C$ in $E_1$. In $E_2$, $\mathcal{A}$ Byzantine corrupts $A$.

Adversary's ($\mathcal{A}$'s) strategy in $E_1:\alpha_1$ is as follows:

1. Send outgoing messages of round $i$: Based on the messages received during round $i-1$, $\mathcal{A}$ decides on the messages to be sent in round $i$. For round 1, $\mathcal{A}$ sends to $B$ what an honest $C$ would have sent to $B$ in execution $E_1:\alpha_1$. For $i \geq 2$, $\mathcal{A}$ authenticates $msg^{E_1:\alpha_1}_{i-1}(B,C)_B$ using $C$'s key and sends it to $A$. For $msg^{E_1:\alpha_1}_{i-1}(A,C)_A$, $\mathcal{A}$ examines the message. If the message has not been authenticated by $B$ even once, it implies that the message has not yet been seen by $B$. Then, $\mathcal{A}$ sends a message to $B$ which is the same as what $C$ would have sent to $B$ in round $i$ of execution $E_1:\alpha_2$. Formally, $\mathcal{A}$ constructs $msg^{E_1:\alpha_1}_{i-1}(A,C)_A$ such that $msg^{E_1:\alpha_1}_{i-1}(A,C)_A = msg^{E_1:\alpha_2}_{i-1}(A,C)_A$. Note that this is possible because $A$ is actively corrupt in $E_2:\alpha_1$ and therefore $\mathcal{A}$ can forge messages on behalf of $A$ in $E_1:\alpha_1$. $\mathcal{A}$ then authenticates $msg^{E_1:\alpha_1}_{i-1}(A,C)_A$ using $C$'s key and sends it to $B$. However, if the message has been authenticated by $B$ even once, then $\mathcal{A}$ simply authenticates $msg^{E_1:\alpha_1}_{i-1}(A,C)_A$ using $C$'s key and sends it to $B$.

2. Receive incoming messages of round $i$: $\mathcal{A}$ obtains messages $msg^{E_1:\alpha_1}_i(A,C)_A$ and $msg^{E_1:\alpha_1}_i(B,C)_B$ via $C$. (These messages are sent by $A$ and $B$ respectively to $C$ in round $i$.) Similarly, via $A$, $\mathcal{A}$ obtains messages $msg^{E_1:\alpha_1}_i(B,A)_B$ and $msg^{E_1:\alpha_1}_i(C,A)_C$. (These are also round $i$ messages, sent by $B$ and $C$ respectively to $A$. Players compute these messages according to their respective views until round $i-1$.)

Lemma 3 $\mathcal{A}$ can ensure $V^{\alpha}_A \sim V^{E_1:\alpha_1}_A$ and $V^{\alpha}_B \sim V^{E_1:\alpha_1}_B$.

Proof: Using induction on $i$, we show that for any round $i$, $T^{\alpha}_{A,i} \sim T^{E_1:\alpha_1}_{A,i}$. It then follows that $T^{\alpha}_A \sim T^{E_1:\alpha_1}_A$. Combining this with Equation 5 gives $V^{\alpha}_A \sim V^{E_1:\alpha_1}_A$.

Note that owing to the topology of $\mathcal{C}$, the only nodes present in $T^{\alpha}_A$ are $A$, $B$, $C$ and $A'$. $B'$ and $C'$ do not occur in $T^{\alpha}_A$. Hence, $A'$ has an outgoing directed edge only to $C$. Likewise, $A$ has an outgoing directed edge only to $B$. The corresponding nodes present in $T^{E_1:\alpha_1}_A$ are $A$, $B$, $C$ and $A$ respectively. We analyse $T^{\alpha}_A$ and $T^{E_1:\alpha_1}_A$ in a bottom-up manner.

Base Case: $i = 1$

Consider round 1 of executions $\alpha$ and $E_1:\alpha_1$. The corresponding execution trees $T^{\alpha}_{A,1}$ and $T^{E_1:\alpha_1}_{A,1}$ are shown in Figure 7. Now, $B$ starts with the same input and secret key, and executes the same code, in $\alpha$ and $E_1:\alpha_1$, i.e. $\mathcal{I}^{\alpha}_B = \mathcal{I}^{E_1:\alpha_1}_B$, $\mathcal{SK}^{\alpha}_B = \mathcal{SK}^{E_1:\alpha_1}_B$ and $\theta^{\alpha}_B = \theta^{E_1:\alpha_1}_B$ (the last equality follows from our definition of $\Pi'$ [Definition 5]). Thus, $B$ will send the same messages to $A$ in round 1 of $\alpha$ and $E_1:\alpha_1$, i.e. $msg^{\alpha}_1(B,A)_B = msg^{E_1:\alpha_1}_1(B,A)_B$. Since $C$ is Byzantine corrupt in $E_1:\alpha_1$, $\mathcal{A}$ can ensure that $msg^{\alpha}_1(C,A)_C = msg^{E_1:\alpha_1}_1(C,A)_C$. Thus, $T^{\alpha}_{A,1} \sim T^{E_1:\alpha_1}_{A,1}$.

Figure 7: $T^{\alpha}_{A,1}$ and $T^{E_1:\alpha_1}_{A,1}$ (in both trees the root $A$ has the children $B$ and $C$).



We show that the similarity holds for round 2 as well. Consider $T^{\alpha}_{A,2}$ and $T^{E_1:\alpha_1}_{A,2}$ as shown in Figure 8. Now, $\mathcal{I}^{\alpha}_A = \mathcal{I}^{E_1:\alpha_1}_A$, $\mathcal{SK}^{\alpha}_A = \mathcal{SK}^{E_1:\alpha_1}_A$, $\theta^{\alpha}_A = \theta^{E_1:\alpha_1}_A$ and $\mathcal{I}^{\alpha}_B = \mathcal{I}^{E_1:\alpha_1}_B$, $\mathcal{SK}^{\alpha}_B = \mathcal{SK}^{E_1:\alpha_1}_B$, $\theta^{\alpha}_B = \theta^{E_1:\alpha_1}_B$. Thus, $msg^{\alpha}_1(A,B)_A = msg^{E_1:\alpha_1}_1(A,B)_A$ and $msg^{\alpha}_1(B,C)_B = msg^{E_1:\alpha_1}_1(B,C)_B$. Since $C$ is Byzantine corrupt in $E_1:\alpha_1$, $\mathcal{A}$ can ensure that $msg^{\alpha}_1(C,B)_C = msg^{E_1:\alpha_1}_1(C,B)_C$.

Figure 8: $T^{\alpha}_{A,2}$ and $T^{E_1:\alpha_1}_{A,2}$. In $T^{\alpha}_{A,2}$ the root $A$ has the children $B$ and $C$; $B$ has the children $A$ and $C$, and $C$ has the children $A'$ and $B$. In $T^{E_1:\alpha_1}_{A,2}$ the node $A'$ is replaced by $A$.

Now, $\mathcal{I}^{\alpha}_{A'} \neq \mathcal{I}^{E_1:\alpha_1}_A$, thus $msg^{\alpha}_1(A',C)_{A'} \neq msg^{E_1:\alpha_1}_1(A,C)_A$. However, since $A$ is Byzantine corrupt in $E_2:\alpha_1$, $\mathcal{A}$ can forge messages on behalf of $A$ in $E_1:\alpha_1$ (this follows from the observations made in Section 2.1). $\mathcal{A}$ can use this to simulate $C$ having received the same messages in round 1 in $E_1:\alpha_1$ and $\alpha$.

Specifically, as $C$ is Byzantine faulty in $E_1:\alpha_1$, $\mathcal{A}$ can construct $msg^{E_1:\alpha_1}_1(A,C)_A$ in a way such that $msg^{E_1:\alpha_1}_1(A,C)_A = msg^{\alpha}_1(A',C)_{A'}$. Now $B$ receives the same round 1 messages in $E_1:\alpha_1$ and $\alpha$, and $B$ has the same input value and secret key and executes the same code; thus $msg^{E_1:\alpha_1}_2(B,A)_B = msg^{\alpha}_2(B,A)_B$. Thus, edge $BA$ (between levels 2 and 3) in $T^{E_1:\alpha_1}_{A,2}$ is the same as the corresponding edge $BA$ in $T^{\alpha}_{A,2}$. Since $C$ is Byzantine corrupt, $\mathcal{A}$ can ensure that $msg^{E_1:\alpha_1}_2(C,A)_C = msg^{\alpha}_2(C,A)_C$. Therefore, $\mathcal{A}$ can ensure that the edge $CA$ (between levels 2 and 3) in $T^{E_1:\alpha_1}_{A,2}$ is the same as the corresponding edge $CA$ in $T^{\alpha}_{A,2}$. Thus, $T^{E_1:\alpha_1}_{A,2} \sim T^{\alpha}_{A,2}$.

Induction hypothesis: Let it be true for all rounds up to $k$, i.e. $\forall i,\ i \leq k,\ T^{\alpha}_{A,i} \sim T^{E_1:\alpha_1}_{A,i}$. Likewise $\forall i,\ i \leq k,\ T^{\alpha}_{B,i} \sim T^{E_1:\alpha_1}_{B,i}$.

Induction step: We now prove that the similarity holds for round $k+1$ as well, i.e. $T^{\alpha}_{A,k+1} \sim T^{E_1:\alpha_1}_{A,k+1}$.

Figure 9: $T^{\alpha}_{A,k+1}$ and $T^{E_1:\alpha_1}_{A,k+1}$.

Consider $T^{\alpha}_{A,k+1}$ and $T^{E_1:\alpha_1}_{A,k+1}$ as shown in Figure 9. Consider the edges between levels $k$ and $k+1$. From the induction hypothesis, we have $\forall j \leq k,\ T^{\alpha}_{A,j} \sim T^{E_1:\alpha_1}_{A,j}$. Further, $\mathcal{I}^{\alpha}_A = \mathcal{I}^{E_1:\alpha_1}_A$, $\mathcal{SK}^{\alpha}_A = \mathcal{SK}^{E_1:\alpha_1}_A$, $\theta^{\alpha}_A = \theta^{E_1:\alpha_1}_A$. Thus, $A$ sends the same messages to $B$ in round $k$ of both the executions, i.e. $msg^{E_1:\alpha_1}_k(A,B)_A = msg^{\alpha}_k(A,B)_A$. Thus, edge $AB$ (between levels $k$ and $k+1$) is the same in both the trees. Likewise, from the induction hypothesis we have $\forall j \leq k,\ T^{\alpha}_{B,j} \sim T^{E_1:\alpha_1}_{B,j}$. Therefore, $msg^{E_1:\alpha_1}_k(B,C)_B = msg^{\alpha}_k(B,C)_B$. Hence, edge $BC$ (between levels $k$ and $k+1$) is the same in both the trees.

Now, consider the node $A'$ at level $k$ in $T^{\alpha}_A$ and the corresponding node $A$ in $T^{E_1:\alpha_1}_A$. For the time being assume (see footnote 6) that $\forall j \leq k,\ T^{\alpha}_{A',j} \sim T^{E_1:\alpha_1}_{A,j}$. We claim that $\mathcal{A}$ can simulate $C$ at level $k+1$ in $T^{E_1:\alpha_1}_A$ to have received messages from $A$ exactly the same as the messages received by $C$ from $A'$ at level $k+1$ in $T^{\alpha}_A$. This is because $A$ is Byzantine corrupt in $E_2:\alpha_1$, thus $\mathcal{A}$ can forge messages on behalf of $A$ in $E_1:\alpha_1$. Formally, $\mathcal{A}$ constructs $msg^{E_1:\alpha_1}_k(A,C)_A$ such that $msg^{E_1:\alpha_1}_k(A,C)_A = msg^{\alpha}_k(A',C)_{A'}$. Thus, $\mathcal{A}$ can ensure that the edge $AC$ (the one between levels $k$ and $k+1$) in $T^{E_1:\alpha_1}_{A,k+1}$ is the same as the corresponding edge $A'C$ in $T^{\alpha}_{A,k+1}$.

Now, $\mathcal{I}^{\alpha}_C = \mathcal{I}^{E_1:\alpha_1}_C$, $\mathcal{SK}^{\alpha}_C = \mathcal{SK}^{E_1:\alpha_1}_C$, $\theta^{\alpha}_C = \theta^{E_1:\alpha_1}_C$. Thus, $C$ sends the same round $k+1$ messages to $A$ in $\alpha$ and $E_1:\alpha_1$, i.e. $msg^{E_1:\alpha_1}_{k+1}(C,A)_C = msg^{\alpha}_{k+1}(C,A)_C$. Thus, edge $CA$ (the one between levels $k+1$ and $k+2$) in $T^{E_1:\alpha_1}_{A,k+1}$ is the same as the corresponding edge $CA$ in $T^{\alpha}_{A,k+1}$. Similarly one can argue that the edge $BA$ (the one between levels $k+1$ and $k+2$) in $T^{E_1:\alpha_1}_{A,k+1}$ is the same as the corresponding edge $BA$ in $T^{\alpha}_{A,k+1}$. Thus, $\mathcal{A}$ can ensure that $T^{\alpha}_{A,k+1} \sim T^{E_1:\alpha_1}_{A,k+1}$. Since this holds for all values of $k$, we have $T^{\alpha}_A \sim T^{E_1:\alpha_1}_A$.

The proof for $V^{\alpha}_B \sim V^{E_1:\alpha_1}_B$ follows on very similar lines; we omit the details. ■



Lemma 4 In execution $\alpha$, players $A$ and $B$ output 0.

Proof: From Lemma 3, it follows that player $A$ cannot distinguish execution $E_1$ of scenario $\alpha_1$ from execution $\alpha$ (dubbed as $E_1:\alpha_1 \overset{A}{\sim} \alpha$). Similarly, to player $B$ execution $E_1$ of scenario $\alpha_1$ is indistinguishable from $\alpha$ ($E_1:\alpha_1 \overset{B}{\sim} \alpha$). In $E_1:\alpha_1$, as per the definition of ABG [Definition 2], both $A$ and $B$ will decide on 0. Since $E_1:\alpha_1 \overset{A}{\sim} \alpha$ and $E_1:\alpha_1 \overset{B}{\sim} \alpha$, in $\alpha$ too $A$ and $B$ will decide on 0. (We are able to make claims about the output of $A$ and $B$ in $\alpha$ as they cannot distinguish $E_1:\alpha_1$ from $\alpha$. Thus, by analysing their output in $E_1:\alpha_1$, we can determine their output in $\alpha$.) ■

6 Using induction on the value of $j$, one can show that the assumption is true.

Adversary's strategy in $E_1:\alpha_2$:

(Recall that the adversary Byzantine corrupts $A$ only in $E_1:\alpha_2$.)

1. Send outgoing messages of round $i$: Based on the messages received during round $i-1$, $\mathcal{A}$ decides on the messages to be sent in round $i$. For round $i$, $i \geq 1$, $\mathcal{A}$ sends to $B$ what an honest $A$ would have sent to $B$ in execution $E_1:\alpha_1$. Formally, $\mathcal{A}$ constructs $msg^{E_1:\alpha_2}_i(A,B)_A$ such that $msg^{E_1:\alpha_2}_i(A,B)_A = msg^{E_1:\alpha_1}_i(A,B)_A$. Likewise, $\mathcal{A}$ sends to $C$ what an honest $A$ would have sent to $C$ in execution $E_1:\alpha_3$. Formally, $\mathcal{A}$ constructs $msg^{E_1:\alpha_2}_i(A,C)_A$ such that $msg^{E_1:\alpha_2}_i(A,C)_A = msg^{E_1:\alpha_3}_i(A,C)_A$. Since $A$ is Byzantine faulty in $E_1:\alpha_2$, $\mathcal{A}$ can always send the above stated messages.

2. Receive incoming messages of round $i$: $\mathcal{A}$ obtains messages $msg^{E_1:\alpha_2}_i(B,A)_B$ and $msg^{E_1:\alpha_2}_i(C,A)_C$ via $A$.

Lemma 5 $\mathcal{A}$ can ensure $V^{\alpha}_B \sim V^{E_1:\alpha_2}_B$ and $V^{\alpha}_C \sim V^{E_1:\alpha_2}_C$.

Proof: Using induction on $i$, we show that for any $i$, $T^{\alpha}_{B,i} \sim T^{E_1:\alpha_2}_{B,i}$. This implies $T^{\alpha}_B \sim T^{E_1:\alpha_2}_B$. From Equation 5 it then follows that $V^{\alpha}_B \sim V^{E_1:\alpha_2}_B$.

Base Case: $i = 1$

Consider $T^{\alpha}_{B,1}$ and $T^{E_1:\alpha_2}_{B,1}$ as shown in Figure 10. $C$ does not have any input in either $\alpha$ or $E_1:\alpha_2$. Thus, $\mathcal{I}^{\alpha}_C = \mathcal{I}^{E_1:\alpha_2}_C$ holds trivially. Further, $C$ starts with the same secret key and executes the same code in $\alpha$ and $E_1:\alpha_2$, i.e. $\mathcal{SK}^{\alpha}_C = \mathcal{SK}^{E_1:\alpha_2}_C$ and $\theta^{\alpha}_C = \theta^{E_1:\alpha_2}_C$. Thus, it will send the same messages to $B$ in round 1 of $\alpha$ and $E_1:\alpha_2$, i.e. $msg^{E_1:\alpha_2}_1(C,B)_C = msg^{\alpha}_1(C,B)_C$. Since $A$ is Byzantine corrupt in $E_1:\alpha_2$, $\mathcal{A}$ can ensure that $msg^{E_1:\alpha_2}_1(A,B)_A = msg^{\alpha}_1(A,B)_A$. Thus, $T^{\alpha}_{B,1} \sim T^{E_1:\alpha_2}_{B,1}$.

Figure 10: $T^{\alpha}_{B,1}$ and $T^{E_1:\alpha_2}_{B,1}$ (in both trees the root $B$ has the children $A$ and $C$).



We now argue that the similarity holds for round 2 as well. Consider $T^{\alpha}_{B,2}$ and $T^{E_1:\alpha_2}_{B,2}$ as shown in Figure 11. Now, $B$ does not have any input in either $\alpha$ or $E_1:\alpha_2$, thus $\mathcal{I}^{\alpha}_B = \mathcal{I}^{E_1:\alpha_2}_B$ is trivially true. Further, $\mathcal{SK}^{\alpha}_B = \mathcal{SK}^{E_1:\alpha_2}_B$ and $\theta^{\alpha}_B = \theta^{E_1:\alpha_2}_B$. Hence, $msg^{E_1:\alpha_2}_1(B,A)_B = msg^{\alpha}_1(B,A)_B$ and $msg^{E_1:\alpha_2}_1(B,C)_B = msg^{\alpha}_1(B,C)_B$. Likewise, $C$ does not have any input in $\alpha$ and $E_1:\alpha_2$, hence $\mathcal{I}^{\alpha}_C = \mathcal{I}^{E_1:\alpha_2}_C$. Also, $\mathcal{SK}^{\alpha}_C = \mathcal{SK}^{E_1:\alpha_2}_C$ and $\theta^{\alpha}_C = \theta^{E_1:\alpha_2}_C$. Hence, $msg^{E_1:\alpha_2}_1(C,A)_C = msg^{\alpha}_1(C,A)_C$. Since $A$ is Byzantine corrupt in $E_1:\alpha_2$, $\mathcal{A}$ can ensure that $msg^{\alpha}_1(A',C)_{A'} = msg^{E_1:\alpha_2}_1(A,C)_A$.

On similar lines, one gets $msg^{E_1:\alpha_2}_2(C,B)_C = msg^{\alpha}_2(C,B)_C$. Since $A$ is Byzantine corrupt in $E_1:\alpha_2$, $\mathcal{A}$ can ensure that $msg^{E_1:\alpha_2}_2(A,B)_A = msg^{\alpha}_2(A,B)_A$. Thus, $T^{\alpha}_{B,2} \sim T^{E_1:\alpha_2}_{B,2}$.

Figure 11: $T^{\alpha}_{B,2}$ and $T^{E_1:\alpha_2}_{B,2}$.



Induction hypothesis: Let it be true for all rounds up to $k$, i.e. $\forall i,\ i \leq k,\ T^{\alpha}_{B,i} \sim T^{E_1:\alpha_2}_{B,i}$. Likewise $\forall i,\ i \leq k,\ T^{\alpha}_{C,i} \sim T^{E_1:\alpha_2}_{C,i}$.

Induction step: We now show that the similarity holds for round $k+1$ too, i.e. $T^{\alpha}_{B,k+1} \sim T^{E_1:\alpha_2}_{B,k+1}$.

Figure 12: $T^{\alpha}_{B,k+1}$ and $T^{E_1:\alpha_2}_{B,k+1}$.

Consider $T^{\alpha}_{B,k+1}$ and $T^{E_1:\alpha_2}_{B,k+1}$ as shown in Figure 12. Consider the edges between levels $k$ and $k+1$. From the induction hypothesis, we have $\forall j \leq k,\ T^{\alpha}_{B,j} \sim T^{E_1:\alpha_2}_{B,j}$. Now, $\mathcal{I}^{\alpha}_B = \mathcal{I}^{E_1:\alpha_2}_B$, $\mathcal{SK}^{\alpha}_B = \mathcal{SK}^{E_1:\alpha_2}_B$, $\theta^{\alpha}_B = \theta^{E_1:\alpha_2}_B$. Thus, $B$ sends the same messages to $A$ in round $k$ of both the executions, i.e. $msg^{E_1:\alpha_2}_k(B,A)_B = msg^{\alpha}_k(B,A)_B$. Thus, edge $BA$ (between levels $k$ and $k+1$) is the same in both the trees. Likewise, $B$ sends the same messages to $C$ in round $k$ of both the executions, i.e. $msg^{E_1:\alpha_2}_k(B,C)_B = msg^{\alpha}_k(B,C)_B$. Thus, edge $BC$ (between levels $k$ and $k+1$) is the same in both the trees.

From the induction hypothesis we have $\forall j \leq k,\ T^{\alpha}_{C,j} \sim T^{E_1:\alpha_2}_{C,j}$. Since $\mathcal{I}^{\alpha}_C = \mathcal{I}^{E_1:\alpha_2}_C$, $\mathcal{SK}^{\alpha}_C = \mathcal{SK}^{E_1:\alpha_2}_C$ and $\theta^{\alpha}_C = \theta^{E_1:\alpha_2}_C$, $C$ sends the same messages to $A$ in round $k$ of both the executions, i.e. $msg^{E_1:\alpha_2}_k(C,A)_C = msg^{\alpha}_k(C,A)_C$. Hence, edge $CA$ (between levels $k$ and $k+1$) is the same in both the trees.

Using the same arguments as in the preceding two paragraphs, we get that $C$ sends the same messages to $B$ in round $k+1$ of both the executions, i.e. $msg^{E_1:\alpha_2}_{k+1}(C,B)_C = msg^{\alpha}_{k+1}(C,B)_C$. Hence, edge $CB$ (between levels $k+1$ and $k+2$) is the same in both the trees. Now, given that $A$ is Byzantine faulty in $E_1:\alpha_2$, $\mathcal{A}$ sends that $msg^{E_1:\alpha_2}_k(A,B)_A$ which ensures $msg^{E_1:\alpha_2}_k(A,B)_A = msg^{\alpha}_k(A,B)_A$. Thus, the edge $AB$ (between levels $k$ and $k+1$) is the same in both the trees.

The proof for $V^{\alpha}_C \sim V^{E_1:\alpha_2}_C$ is nearly a repetition of the above arguments. Details omitted. ■

Lemma 6 In execution $\alpha$, the output of $B$ will be the same as the output of $C$.

Proof: From Lemma 5, we get that player $B$ cannot distinguish execution $E_1:\alpha_2$ from $\alpha$ (dubbed as $E_1:\alpha_2 \overset{B}{\sim} \alpha$). Similarly, to player $C$ execution $E_1:\alpha_2$ is indistinguishable from $\alpha$ ($E_1:\alpha_2 \overset{C}{\sim} \alpha$). Since the General ($A$) is Byzantine corrupt in $E_1:\alpha_2$, from the definition of ABG [Definition 2], in $E_1:\alpha_2$ $B$ and $C$ must have the same output. Then, so must $B$ and $C$ in $\alpha$. ■

Adversary's strategy in $E_1:\alpha_3$:

(Recall that in $\alpha_3$, $\mathcal{A}$ Byzantine corrupts $B$ in $E_1$ and $A$ in $E_2$.)

1. Send outgoing messages of round $i$: Based on the messages received during round $i-1$, $\mathcal{A}$ decides on the messages to be sent in round $i$. For round 1, $\mathcal{A}$ sends to $C$ what an honest $B$ would have sent to $C$ in execution $E_1:\alpha_1$. For $i \geq 2$, $\mathcal{A}$ authenticates $msg^{E_1:\alpha_3}_{i-1}(C,B)_C$ using $B$'s key and sends it to $A$. For $msg^{E_1:\alpha_3}_{i-1}(A,B)_A$, $\mathcal{A}$ examines the message. If the message has not been authenticated by $C$ even once, it implies that the message has not yet been seen by $C$. Then, $\mathcal{A}$ authenticates and sends a message to $C$ which is the same as what $B$ would have sent to $C$ in round $i$ of execution $E_1:\alpha_2$. Formally, $\mathcal{A}$ constructs $msg^{E_1:\alpha_3}_{i-1}(A,B)_A$ such that $msg^{E_1:\alpha_3}_{i-1}(A,B)_A = msg^{E_1:\alpha_2}_{i-1}(A,B)_A$. $\mathcal{A}$ then authenticates $msg^{E_1:\alpha_3}_{i-1}(A,B)_A$ using $B$'s key and sends it to $C$. If the message has been authenticated by $C$ even once, $\mathcal{A}$ simply authenticates $msg^{E_1:\alpha_3}_{i-1}(A,B)_A$ using $B$'s key and sends it to $C$.

2. Receive incoming messages of round $i$: $\mathcal{A}$ obtains messages $msg^{E_1:\alpha_3}_i(A,B)_A$ and $msg^{E_1:\alpha_3}_i(C,B)_C$ via $B$. Likewise, via $A$, $\mathcal{A}$ obtains messages $msg^{E_1:\alpha_3}_i(B,A)_B$ and $msg^{E_1:\alpha_3}_i(C,A)_C$.

Lemma 7 $\mathcal{A}$ can ensure $V^{\alpha}_C \sim V^{E_1:\alpha_3}_C$ and $V^{\alpha}_{A'} \sim V^{E_1:\alpha_3}_A$.

Proof: Owing to the symmetry of $\mathcal{C}$, the proof is very similar to the proof of Lemma 3. Details omitted. ■

Lemma 8 In execution $\alpha$, players $C$ and $A'$ output 1.

Proof: From Lemma 7, we have $E_1:\alpha_3 \overset{C}{\sim} \alpha$ and $E_1:\alpha_3 \overset{A'}{\sim} \alpha$. From Definition 2, $A$ and $C$ will output 1 in $E_1:\alpha_3$. Then, so must $A'$ and $C$ in $\alpha$. ■

4.2 Finale

We now proceed to proving the main result of this work.

Theorem 9 (Main Theorem) ABG over $n$ players, tolerating a $t$-adversary, can be self-composed in parallel for any number of executions if and only if $n > 2t$.

Proof: By combining Lemma 10 and Lemma 11. ■

Lemma 10 If $n < 2t$, then there does not exist any ABG protocol that self-composes in parallel even twice ($\mathsf{A}_2$) over a network of $n$ players, tolerating a $t$-adversary.

Proof: Our proof demonstrates that if $n \leq 2t_1 + \min(t_1,t_2)$, $t_1 > 0$, then there does not exist any $\mathsf{A}_2$ over a network ($\mathcal{N}'$) of $n$ players tolerating a $(t_1,t_2)$-adversary. Here, $t_1$ and $t_2$ are the numbers of players that the adversary can corrupt in the two parallel executions $E_1$ and $E_2$, respectively, of $\mathsf{A}_2$, such that $t_1 + t_2 \leq t$ (dubbed as a $(t_1,t_2)$-adversary). Substituting $t_1 = t-1$ and $t_2 = 1$ in $n \leq 2t_1 + \min(t_1,t_2)$ gives the impossibility of $\mathsf{A}_2$ when $n < 2t$. Hence the Lemma.

To show the impossibility of $\mathsf{A}_2$ when $n \leq 2t_1 + \min(t_1,t_2)$, $t_1 > 0$, we assume otherwise and arrive at a contradiction. For the purpose of contradiction, we assume the existence of $\mathsf{A}_2$ over $\mathcal{N}'$ such that $n \leq 2t_1 + \min(t_1,t_2)$, $t_1 > 0$, tolerating a $(t_1,t_2)$-adversary. Using $\mathsf{A}_2$, we construct a protocol $\Pi_2$ over a network $\mathcal{N}$ of 3 nodes, $P = \{A,B,C\}$, that tolerates the adversary basis $\mathbb{A} = \{((C),(A));\ ((A),(\emptyset));\ ((B),(A))\}$. But this contradicts Theorem 2, hence the assumed protocol $\mathsf{A}_2$ cannot exist.

The construction of $\Pi_2$ from $\mathsf{A}_2$ is as follows: partition the $n$ players in $\mathcal{N}'$ into three mutually disjoint, non-empty sets $I_A$, $I_B$ and $I_C$ such that $|I_A| \leq \min(t_1,t_2)$, $|I_B| \leq t_1$ and $|I_C| \leq t_1$. Since $n \leq 2t_1 + \min(t_1,t_2)$, such a partitioning is always possible. The edges in $\mathcal{N}'$ can then be considered as bundles of edges between the sets $I_A$, $I_B$ and $I_C$. Let $E_1$, $E_2$ be two parallel executions of $\mathsf{A}_2$. Since $\mathsf{A}_2$ tolerates a $(t_1,t_2)$-adversary, $\mathsf{A}_2$ will tolerate an adversary, $\mathcal{A}$, characterised by the adversary basis $\{((I_C),(I_A));\ ((I_A),(\emptyset));\ ((I_B),(I_A))\}$. Let the corresponding parallel executions of $\Pi_2$ be $E'_1$ and $E'_2$. Player $i$, $i \in \{A,B,C\}$, in execution $E'_l$, $l \in \{1,2\}$, simulates all the players in set $I_i$ in execution $E_l$. W.l.o.g., let the honest, passively corrupt and Byzantine faulty players in $E'_l$ simulate the honest, passively corrupt and Byzantine faulty players respectively in $E_l$.

Player $i$ in $E'_l$ simulates the players in $I_i$ in $E_l$ as follows: player $i$ keeps track of the states of all the players in $I_i$. It assigns its input value to every member of $I_i$ and emulates the steps of all the players in $I_i$ as well as the messages communicated between every pair of players in $I_i$. If any player in $I_i$ sends a message to any player in $I_j$, $j \in \{A,B,C\}$, $i \neq j$, then player $i$ sends exactly the same message to player $j$. If any player in $I_i$ terminates then so does player $i$. If any player in $I_i$ decides on a value $v$, then so does player $i$.

We now show that if $\mathsf{A}_2$ satisfies Definition 2 tolerating $\mathcal{A}$, then so does $\Pi_2$ tolerating $\mathbb{A} = \{((C),(A));\ ((A),(\emptyset));\ ((B),(A))\}$. Let $i$ and $j$ ($i \neq j$) be two non-faulty players (honest or passively corrupt but not Byzantine faulty) in execution $E'_l$ of $\Pi_2$. Player $i$ (likewise $j$) simulates at least one player in $I_i$ ($I_j$) in execution $E_l$. Since both $i, j$ are non-faulty in $E'_l$, so are all the players in $I_i, I_j$ in $E_l$. If the General is non-faulty in $E'_l$ and starts with a value $v$, then in $E_l$ too the General is non-faulty and starts with value $v$. Hence, as per the definition of ABG [Definition 2], all the players in $I_i, I_j$ in execution $E_l$ must decide on value $v$. Then, so should players $i, j$ in $E'_l$. If the General is faulty in $E'_l$, then so is the General in $E_l$. As per the definition of ABG, all the players in $I_i, I_j$ in execution $E_l$ must have the same output. Then, so should players $i, j$ in $E'_l$. This implies that $\Pi_2$ satisfies Definition 2 tolerating $\mathbb{A}$, contradicting Theorem 2. ■

We now show that the bound of $n < 2t$ is tight. For this we present a protocol, $\mathrm{EIGPrune}^+$ (Figure 13), and prove that if $n > 2t$, then $\mathrm{EIGPrune}^+$ remains a valid ABG protocol under any number of parallel self-compositions (Lemma 11). $\mathrm{EIGPrune}^+$ is based on a sequence of transformations on the EIG tree [BNDDS87]. [Lyn96, page 108] gives an excellent discussion on the construction of the EIG tree. $\mathrm{EIGPrune}^+$ is essentially the same as the EIGPrune protocol [GGBS10] (see footnote 7), barring two minor additions: (i) each concurrent execution of the protocol is augmented with a Unique Session Identifier (USID); (ii) non-faulty players in any concurrent execution reject any message that does not carry a valid USID. We remark that like EIGPrune, $\mathrm{EIGPrune}^+$ is also exponential in the number of messages. However, owing to the simplicity and intuitive appeal of the protocol we present it here, as it makes the discussion very lucid. The exponential nature of the protocol is not a serious concern, as using well known techniques from the literature [BNDDS87] it can be converted into an efficient protocol.

Definition 6 (Prune(EIG)) It takes an EIG tree as input and deletes subtrees, say $S^i_j$ (the subtree rooted at the node whose label is $j$ in the EIG tree of player $i$), as given in the sequel. For each subtree $S^i_j$, where label $j \in P$, a set $W_j$ is constructed that contains all distinct values that ever appear in $S^i_j$. If $|W_j| > 1$, $S^i_j$ is deleted and the modified EIG tree is returned.

7 For the benefit of the reader we reproduce EIGPrune, as proposed by Gupta et al., in Appendix A.

In every concurrent execution:

1. The General $\mathcal{G}$ sends his value to every player.

2. On receiving this value from $\mathcal{G}$, every player assumes it to be his input value and exchanges messages with the others as per the EIGStop protocol [Lyn96, page 103] for $t+1$ rounds.

3. At the end of the $t+1$ rounds of the EIGStop protocol, player $p_i$ discards any message that does not have a valid authentication or USID and invokes Prune(EIG) [Definition 6].

4. Player $p_i$ applies the following decision rule: take the majority of the values at the first level (i.e. all the nodes with labels $l$ such that $l \in P$) of its EIG tree. If a majority exists, player $p_i$ decides on that value; else, $p_i$ decides on the default value, $v_0$.

Figure 13: $\mathrm{EIGPrune}^+$ Protocol
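Steps 3 and 4 of $\mathrm{EIGPrune}^+$ together with Prune(EIG) (Definition 6), as an added example in Python; this is not the paper's or Gupta et al.'s code. It assumes an EIG tree represented as a map from node labels (tuples of player ids, the originator first) to values, a constructed set of messages received by one player, and that the majority in step 4 is taken over the surviving first-level nodes.

```python
from collections import Counter

# Constructed example (not from the paper): player p2's received messages in one
# concurrent execution of EIGPrune+ with USID "id1"; n = 4 players and t = 1, so
# EIGStop runs for t + 1 = 2 rounds. A received message is (path, value, usid, auth_ok):
#   path    - tuple of player ids; path[0] originated the value and each later player
#             relayed (and re-authenticated) it, so path is the EIG node label
#   value   - the value carried by the message
#   usid    - the session identifier the message is tagged with
#   auth_ok - whether every authentication on the message verified
MY_USID = "id1"
DEFAULT_V0 = 0

MESSAGES_P2 = [
    # round 1 (first-level nodes): p1 is Byzantine and told p2 the value 0
    (("p1",), 0, "id1", True),
    (("p2",), 1, "id1", True),            # p2's own value as received from the General
    (("p3",), 1, "id1", True),
    (("p4",), 1, "id1", True),
    # round 2 (second-level nodes): p3 relays that p1 told it 1, p4 that p1 told it 0
    (("p1", "p3"), 1, "id1", True),
    (("p1", "p4"), 0, "id1", True),
    (("p3", "p1"), 1, "id1", True),
    (("p3", "p4"), 1, "id1", True),
    (("p4", "p1"), 1, "id1", True),
    (("p4", "p3"), 1, "id1", True),
    (("p2", "p3"), 1, "id1", True),
    (("p2", "p4"), 1, "id1", True),
    # a round-1 message replayed from a parallel execution that carries USID "id2"
    (("p3",), 0, "id2", True),
    # a message whose authentication chain does not verify
    (("p2", "p1"), 0, "id1", False),
]


def build_eig_tree(messages, my_usid):
    """Step 3 of EIGPrune+: keep only messages with valid authentication and
    the USID of this execution. Returns the EIG tree as {label: value}."""
    tree = {}
    for path, value, usid, auth_ok in messages:
        if auth_ok and usid == my_usid:
            tree[tuple(path)] = value
    return tree


def prune_eig(tree):
    """Prune(EIG), Definition 6: for each first-level label j, collect the set W_j
    of distinct values in the subtree S_j; delete S_j whenever |W_j| > 1."""
    pruned = dict(tree)
    for j in {label[0] for label in tree}:
        w_j = {value for label, value in tree.items() if label[0] == j}
        if len(w_j) > 1:
            for label in list(pruned):
                if label[0] == j:
                    del pruned[label]
    return pruned


def decide(pruned_tree, default=DEFAULT_V0):
    """Step 4: strict majority over the surviving first-level values, else v_0.
    (Assumption: the majority is taken among the surviving first-level nodes.)"""
    first_level = [v for label, v in pruned_tree.items() if len(label) == 1]
    if not first_level:
        return default
    value, count = Counter(first_level).most_common(1)[0]
    return value if 2 * count > len(first_level) else default


def eigprune_plus_decide(messages, my_usid, default=DEFAULT_V0):
    """Run steps 3 and 4 of EIGPrune+ for one player and return its decision."""
    return decide(prune_eig(build_eig_tree(messages, my_usid)), default)


if __name__ == "__main__":
    tree = build_eig_tree(MESSAGES_P2, MY_USID)
    print("accepted nodes:", len(tree))               # the two bad messages are discarded
    print("after pruning:", sorted(prune_eig(tree)))  # the subtree of p1 is removed
    print("p2 decides:", eigprune_plus_decide(MESSAGES_P2, MY_USID))
```

The subtree rooted at the Byzantine originator p1 carries both 0 and 1 and is pruned, so p2 decides from the remaining first-level values; the replayed "id2" message never enters the tree.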
Our proof of correctness of $\mathrm{EIGPrune}^+$ is based on the idea developed by Lindell et al. [LLR02], wherein the security of a protocol in the concurrent setting is reduced to the security of the protocol in the stand-alone setting. In our case, to ensure that this reduction is correct, we must account for the possibility of the players being (implicitly) passively corrupt in an execution (from the observation made in Section 2.2). For this reason, we use a variant of ABG, christened $\mathrm{ABG}_{mix}$, proposed by Gupta et al. [GGBS10], as the stand-alone setting for our reduction.

Gupta et al. studied (stand-alone) ABG in the presence of a mixed adversary that can corrupt up to any $t_b$ players actively and up to another $t_p$ players passively (dubbed as a $(t_b,t_p)$-adversary). The adversary, thus, can forge the signatures of all $t_b + t_p$ players. Further, Gupta et al. require all the passively corrupt players to always output a value the same as the output of the honest players. They prove that (stand-alone) $\mathrm{ABG}_{mix}$ over a completely connected synchronous network of $n$ players tolerating a $(t_b,t_p)$-adversary, $t_p > 0$, is solvable if and only if $n > 2t_b + \min(t_b,t_p)$. It is easy to see that like EIGPrune, $\mathrm{EIGPrune}^+$ is also a correct protocol for $\mathrm{ABG}_{mix}$. By substituting $t_b = t-1$ and $t_p = 1$, their result can be extended to achieve a bound of $n > 2t$.

Lemma 11 $\mathrm{EIGPrune}^+$ over $n$ players, tolerating a $t$-adversary, is a valid ABG protocol that self-composes for any number of parallel executions if $n > 2t$.

Proof: Let $\psi(id_1), \psi(id_2), \ldots, \psi(id_l)$ (see footnote 8) be $l$ parallel executions of $\mathrm{EIGPrune}^+$. For the purpose of contradiction assume that there exists an adversary, $\mathcal{A}$, that attacks these $l$ parallel executions and succeeds in execution $\psi(id_i)$, for some $i \in (1,l)$. Using $\mathcal{A}$ we construct an adversary $\mathcal{A}'$ that is bound to succeed in the (stand-alone) execution, $\varphi$, of EIGPrune for $\mathrm{ABG}_{mix}$. This contradicts the results of Gupta et al., hence the Lemma.

Our construction of $\mathcal{A}'$ requires $\mathcal{A}'$ to internally simulate the parallel executions $\psi(id_1), \psi(id_2), \ldots, \psi(id_l)$. For this to happen, $\mathcal{A}'$ must be able to simulate the signatures generated by the honest players in these executions. To facilitate this we assume $\mathcal{A}'$ is given access to all the oracles (see footnote 9) $S_{\neg id}(sk_1, \cdot), \ldots, S_{\neg id}(sk_n, \cdot)$. Further, to ensure that the above simulation is perfect, we augment the stand-alone execution, $\varphi$, of EIGPrune for $\mathrm{ABG}_{mix}$ with a USID: $\varphi(id)$. It is easy to see that this augmentation has no bearing on the correctness of EIGPrune. Formally, for $\mathrm{ABG}_{mix}$, if $\varphi$ is a correct execution of EIGPrune, then so is $\varphi(id)$.

8 $\psi(id_i)$ denotes the use of the USID in the $i$-th concurrent execution of $\psi$.

9 Players use the signature scheme $((Gen, S_{id}, V_{id}), S_{\neg id})$ developed by Lindell et al. [LLR02]. We present a brief overview of the same in Appendix B.

The construction of $\mathcal{A}'$ is as follows: $\mathcal{A}'$ internally incorporates $\mathcal{A}$ and attacks $\varphi(id)$ as given in the sequel. $\mathcal{A}'$ selects an execution $i$, $i \in (1,l)$, and sets $id = id_i$. Then, $\mathcal{A}'$ invokes $\mathcal{A}$ and simulates the concurrent executions $\psi(id_1), \ldots, \psi(id_l)$ for $\mathcal{A}$. $\mathcal{A}'$ does this by playing the roles of the non-faulty players in all the executions but $\psi(id)$. Since $\mathcal{A}'$ has access to the signing oracles $S_{\neg id}(sk_1, \cdot), \ldots, S_{\neg id}(sk_n, \cdot)$, it can generate signatures on behalf of the honest players in all the executions $\psi(id_j)$, $j \neq i$. In $\psi(id)$, $\mathcal{A}'$ externally interacts with the non-faulty players and passes messages between them and $\mathcal{A}$. $\mathcal{A}'$ interacts with the players in $\psi(id_i)$ in exactly the same manner as $\mathcal{A}$ interacts with the players in $\psi(id_i)$. Note that this is possible because if $\mathcal{A}$ forges messages on behalf of some player in $\psi(id_i)$ by actively corrupting this player in $\psi(id_j)$, $j \neq i$, then $\mathcal{A}'$ can do the same by passively corrupting this particular player in $\varphi(id)$. Since $\mathcal{A}'$ never queries the oracle for messages whose prefix is $id$, the emulation by $\mathcal{A}'$ of the concurrent executions for $\mathcal{A}$ is perfect. Thus, if $\mathcal{A}$ succeeds in breaking $\psi(id)$, then $\mathcal{A}'$ will break $\varphi(id)$. ■

5 Closing Remarks

In this paper we argue for the need of a better model for studying the self-composition of ABG protocols. We propose a new model to study the composition of ABG protocols and show that, in this model, unique session identifiers aid in improving the fault-tolerance of ABG protocols (that compose in parallel), but only from $n > 3t$ to $n > 2t$. Note that, in the stand-alone setting, ABG is possible for $n > t$. Thus, surprisingly, USIDs may not always achieve their goal of truly separating the protocol's execution from its environment to the fullest extent. However, for most functionalities, USIDs indeed achieve their objective, as is obvious from the Universal Composability (UC) theorem [Can01]. Besides proving (im)possibility results for the self-composition of ABG, our work also brings to the forefront a few minor, yet interesting and undesirable, properties of the UC framework. It will be nice to see if one can fine-tune the UC framework to this end. Further, with respect to the composition of ABG protocols, we show that the worst-case adversary (with respect to a given execution) is not the one that corrupts players at full throttle across all protocols running concurrently in the network. There may be several other problems apart from ABG wherein a similar anomaly holds. It is an intriguing open question to characterize the set of all such problems. Further, from our result of $n > 2t$, it appears that studying the self-composition of ABG protocols over general networks will be interesting in its own right.
A EIGPrune Protocol [GGBS10]

For the benefit of the reader, we now reproduce the protocol proposed by Gupta et al. (Figure 14). It is obtained by a sequence of transformations on the EIG tree [BNDDS87]. [Lyn96, page 108] gives an excellent discussion of the construction of the EIG tree. All the messages exchanged during the protocol are signed/authenticated. We only give the protocol here. The proof of its correctness in the stand-alone setting for the problem of ABG$_{mix}$ can be found in [GGBS10].



EIGPrune Algorithm

General $G$ sends his value to every player. Every player takes this value from $G$ as his input value and exchanges messages with the others as per the EIGStop protocol [Lyn96, page 103] for $t_b + t_p + 1$ rounds.

At the end of $t_b + t_p + 1$ rounds of the EIGStop protocol, player $p_i$ invokes Prune(EIG) [Definition 7]. Player $p_i$ applies the following decision rule: take the majority of the values at the first level (i.e. all the nodes with labels $l$ such that $l \in P$) of its EIG tree. If a majority exists, player $p_i$ decides on that value; else, $p_i$ decides on the default value, $v_0$.

Figure 14: EIGPrune algorithm

Definition 7 (Prune(EIG)) This method takes an EIG tree as input and deletes subtrees, say subtree$_j^i$ (subtree$_j^i$ refers to the subtree in $i$'s EIG tree rooted at the node whose label is $j$), of $i$'s EIG tree as given in the sequel. For each subtree subtree$_j^i$, where label $j \in P$, a set $W_j$ is constructed which contains all distinct values that ever appear in subtree$_j^i$. If $|W_j| > 1$, subtree$_j^i$ is deleted, and the modified EIG tree is returned.
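The pruning step and the decision rule of Figure 14, as an added example that is not code from [GGBS10]. The EIG tree is assumed to be stored as a dictionary from node labels (tuples of distinct player ids, first level being the 1-tuples) to values, and "majority" is taken as a strict majority of the first-level nodes that survive pruning.

```python
from collections import Counter

# Added example (not from [GGBS10]): Prune(EIG) and the EIGPrune decision rule over an
# EIG tree stored as {label: value}; a label is a tuple of distinct player ids and the
# first-level nodes are the 1-tuples (j,) for j in P.

def prune_eig(tree):
    """Delete every first-level subtree subtree_j whose value set W_j has |W_j| > 1."""
    first_level = [label[0] for label in tree if len(label) == 1]
    deleted = set()
    for j in first_level:
        w_j = {v for label, v in tree.items() if label[0] == j}   # W_j: distinct values in subtree_j
        if len(w_j) > 1:
            deleted.add(j)
    pruned = {label: v for label, v in tree.items() if label[0] not in deleted}
    return pruned, deleted

def eigprune_decide(tree, default):
    """Majority over the surviving first-level values, else the default v0.
    Assumption: a strict majority of the first-level nodes left after pruning."""
    pruned, _ = prune_eig(tree)
    counts = Counter(v for label, v in pruned.items() if len(label) == 1)
    if counts:
        value, c = counts.most_common(1)[0]
        if 2 * c > sum(counts.values()):
            return value
    return default

def sample_tree():
    """Constructed tree of player 1 for P = {1,2,3,4}, General value 0, player 3 Byzantine.
    Signatures stop 3 from altering what honest players signed, so 3 can only be
    inconsistent about its own value: it tells players 1 and 2 "1" and tells 4 "0"."""
    tree = {(1,): 0, (2,): 0, (3,): 1, (4,): 0}
    for j in (1, 2, 4):                       # honest players relay consistently
        for k in (1, 2, 3, 4):
            if k != j:
                tree[(j, k)] = 0
    tree[(3, 1)], tree[(3, 2)], tree[(3, 4)] = 1, 1, 0   # W_3 = {0, 1}: subtree_3 gets pruned
    return tree
```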

B Lindell et al.'s Signature Scheme

We present an overview of the signature scheme $((Gen, S_{id}, V_{id}), S_{\neg id})$ developed by Lindell et al. [LLR02]. They define a signature scheme as $(Gen, S, V)$ where $S, V$ are algorithms for signing and verification of any message. $Gen$ is used to generate signature and verification keys for a particular player (say $P_k$) and is defined as a function $1^n \to (vk, sk)$. A signature scheme is said to be a valid one if honestly generated signatures are almost always accepted. Formally, with non-negligible probability, for every message $m$, $V(vk, m, S(sk, m)) = 1$, where $(vk, sk) \leftarrow Gen(1^n)$. They model the valid signatures that adversary $A$ can obtain in a real attack via a signing oracle $S(sk, \cdot)$. $A$ is defined to succeed in generating a forged message $m^*$ if $A$, given $vk$ and access to the oracle $S(sk, \cdot)$, can generate a pair $(m^*, \sigma^*)$ such that, if $Q_m$ is the set of oracle queries made by $A$, then $V(vk, m^*, \sigma^*) = 1$ holds with $m^* \notin Q_m$. A signature scheme is said to be existentially secure against chosen-message attack if $A$ cannot succeed in forging a signature with greater than non-negligible probability. They further model any information gained by $A$ from any query with another oracle $Aux(sk, \cdot)$. However, this oracle cannot generate any valid signature but provides any other auxiliary information about the query. They assume some scheme, say $(Gen, S, V)$, to be secure against chosen-message attack and show how to construct a secure scheme $(Gen, S_{id}, V_{id})$ from it where $S_{id}(sk, m) = S(sk, id \circ m)$ and $V_{id}(vk, m, \sigma) = V(vk, id \circ m, \sigma)$. For the new scheme they define the oracle $Aux(sk, m) = S_{\neg id}(sk, m)$ where $S_{\neg id}(sk, m) = S(sk, m)$ if the prefix of $m$ is not $id$, else $S_{\neg id}(sk, m) = \bot$. Further, they assume $\pi$ to be a secure protocol for ABG using the signature scheme $(Gen, S, V)$. They define the modified protocol $\pi(id)$ to be exactly the same as $\pi$ except that it uses the signature scheme $(Gen, S_{id}, V_{id})$ as defined above. They further prove why $((Gen, S_{id}, V_{id}), S_{\neg id})$ is secure against chosen-message attack. The intuition behind the proof is the fact that if the prefix of $m \neq id$, then $S_{\neg id}(sk, m) = S(sk, m)$, which is of no help to the adversary, as any successful forgery must be prefixed with $id$ and all oracle queries to $S_{\neg id}$ must be prefixed with $id' \neq id$.
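The construction $(Gen, S_{id}, V_{id})$ together with the restricted oracle $S_{\neg id}$, as an added example that is not Lindell et al.'s code. It assumes HMAC-SHA256 as a stand-in for the base scheme $(Gen, S, V)$ (so $vk = sk$ here, unlike a real public-key signature) and a length-prefixed encoding of $id \circ m$ so that the session identifier can be split off unambiguously.

```python
import hmac, hashlib, os

# Added example (not from [LLR02]): the id-prefixed scheme (Gen, S_id, V_id) and the
# restricted oracle S_not_id on top of a generic (Gen, S, V).
# Assumption: HMAC-SHA256 stands in for the base scheme, so vk == sk in this toy.

def Gen(n=32):
    sk = os.urandom(n)
    return sk, sk                      # (vk, sk); symmetric stand-in for a signing key pair

def S(sk, m):
    return hmac.new(sk, m, hashlib.sha256).digest()

def V(vk, m, sigma):
    return hmac.compare_digest(S(vk, m), sigma)

def compose(id_, m):
    """id o m. Assumption: a 2-byte length prefix on id makes the split unambiguous,
    so (id, m) and a different (id', m') never encode to the same string."""
    return len(id_).to_bytes(2, "big") + id_ + m

def S_id(id_, sk, m):
    return S(sk, compose(id_, m))           # S_id(sk, m) = S(sk, id o m)

def V_id(id_, vk, m, sigma):
    return V(vk, compose(id_, m), sigma)    # V_id(vk, m, sigma) = V(vk, id o m, sigma)

def S_not_id(id_, sk, m):
    """Aux oracle: signs any m whose prefix is not id, returns None (bottom) otherwise."""
    if m.startswith(compose(id_, b"")):
        return None
    return S(sk, m)

def roundtrip(id_, m):
    """Honestly generated signatures verify under the matching id only."""
    vk, sk = Gen()
    sigma = S_id(id_, sk, m)
    return V_id(id_, vk, m, sigma), V_id(id_ + b"x", vk, m, sigma)

def oracle_gives_no_forgery(id_, other_id, m):
    """Why S_not_id does not help against V_id: queries for this id are refused, and a
    signature obtained for another session verifies under V but not under V_id for id."""
    vk, sk = Gen()
    foreign = S_not_id(id_, sk, compose(other_id, m))
    return (S_not_id(id_, sk, compose(id_, m)) is None,
            V(vk, compose(other_id, m), foreign),
            V_id(id_, vk, m, foreign))
```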